Botnet Reputation and Content Scanning in Nessus

With today’s plugin updates, Nessus now has the capability to warn you of hosts that are being controlled by botnets or hosting links to known malware or phishing sites.

Nessus uses a list of botnet infected hosts that is updated daily to search for your scan targets and report if the host is a known botnet zombie or is in command and control node. This is done regardless of the plugins or credentials specified and does not require sending any packets to the host to perform this check. Such hosts have been previously observed as sending malicious traffic to third-party systems across the Internet or taking an active role in attempting to control or compromise hosts for the botnet.

In addition to checking for inclusion in a botnet, Nessus will also report if a scan target is hosting links to web site addresses and specific URLs that are used by known botnets to propagate or re-directing to sites hosting phishing content. During the testing of CGI scripts, Nessus will scan the content of web pages looking for references to this type of malicious content. The ability to discover if an asset hosts botnet related malware or pages designed to steal credentials from unsuspecting users (e.g., fake eBay or banking login pages) is an incredible way to augment vulnerability scans.

To leverage this feature, make sure that your Nessus scans are looking at web site content. To enable this feature, set the Preferences -> Global Settings -> Enable CGI Tests setting to “enabled”. 

The following Nessus plugins perform the botnet and malicious website content analysis:

  • 52670 – Web Site Links to malicious Content
  • 52669 – Host is listed in Known Bot Database

This update is available to all Nessus users including the Nessus ProfessionalFeed and HomeFeed subscriptions, the Nessus PerimeterService and SecurityCenter customers. Tenable also offers a variety of log analysis, NetFlow analysis and passive network traffic analysis solutions which can help identify system events, user behavior and network traffic that is indicative of a botnet. To learn more about these solutions, please visit our web site or watch any of the following on-demand webinars: